REST API and User Information List Permissions and Breeze.js
-
30-09-2020 - |
Domanda
Users who are not site collection admins can read from the User Information List without any issues when using http://server.domain.com/_vti_bin_/ListData.svc/UserInformationList
but these users get a 404 error when accessing it via http://server.domain.com/_api/web/lists/getbytitle('User Information List')
. Site collection admins do not receive a 404 error. Would anyone have any idea why this might be and if there is a work around for this specific end point?
I know that I could use _api/web/siteusers
but this is not really preferable when using Breeze.js's SharePoint adapter as it is apparently expecting me to specify the title of a list and I am trying to be consistent in my data context.
EDIT: Actually the siteusers
end point does not provide the same data, it really only has a subset. What I have done as a work around was modify my datacontext
object to use $http
and ListData.svc
rather than using breeze. Since I am never modifying the user data it's ultimately not that big of a deal but I'd still like to figure out a better way to do this as ListData.svc
is deprecated.
Soluzione
I suppose _vti_bin/ListData.svc
and _vti_bin/client.svc
(_api
) endpoints have different logic for permission checks.
I can reproduce your problem, while logged as a site admin I can access the list, but not as a normal user:
_api/web/lists/getbytitle('User Information List')
What I also have found in the result, is a new (third) link to that hidden list:
_api/web/SiteUserInfoList/
With this link non-site-admins can access the same information. I know you wanted a unified access to that list for you breeze.js sp adapter. But perhaps, this could be a workaround without needing to go back to the old ListData.svc endpoint.